[or-cvs] flagday] handle nicknames and connection init properly; go ...

Sat Apr 17 18:15:02 UTC 2004

Update of /home/or/cvsroot/src/common
In directory moria.mit.edu:/tmp/cvs-serv5386/common

Modified Files:
      Tag: tor-0_0_6incompat
	tortls.c 
Log Message:
[flagday] handle nicknames and connection init properly; go to cert chains. something still odd w/tls

Index: tortls.c
===================================================================
RCS file: /home/or/cvsroot/src/common/tortls.c,v
retrieving revision 1.42.2.1
retrieving revision 1.42.2.2
diff -u -d -r1.42.2.1 -r1.42.2.2

--- tortls.c	17 Apr 2004 01:37:27 -0000	1.42.2.1
+++ tortls.c	17 Apr 2004 18:15:00 -0000	1.42.2.2
@@ -44,8 +44,9 @@
 };
 
 static X509* tor_tls_create_certificate(crypto_pk_env_t *rsa,
-                                        crypto_pk_env_t *identity,
-                                        const char *nickname);
+                                        crypto_pk_env_t *rsa_sign,
+                                        const char *cname,
+                                        const char *cname_sign);
 
 /* global tls context, keep it here because nobody else needs to touch it */
 static tor_tls_context *global_tls_context = NULL;
@@ -132,24 +133,26 @@
 /* Generate a self-signed certificate with the private key 'rsa' and
  * identity key 'identity and commonName 'nickname'.  Return a certificate
  * on success, NULL on failure.
+ * DOCDOC
  */
 X509 *
 tor_tls_create_certificate(crypto_pk_env_t *rsa,
-                           crypto_pk_env_t *identity,
-                           const char *nickname)
+                           crypto_pk_env_t *rsa_sign,
+                           const char *cname,
+                           const char *cname_sign)
 {
   time_t start_time, end_time;
-  EVP_PKEY *id_pkey = NULL, *pkey=NULL;
+  EVP_PKEY *sign_pkey = NULL, *pkey=NULL;
   X509 *x509 = NULL;
-  X509_NAME *name = NULL;
+  X509_NAME *name = NULL, *name_issuer=NULL;
   int nid;
 
   tor_tls_init();
 
   start_time = time(NULL);
 
-  assert(rsa && nickname);
-  if (!(id_pkey = _crypto_pk_env_get_evp_pkey(identity,1)))
+  assert(rsa && cname && rsa_sign && cname_sign);
+  if (!(sign_pkey = _crypto_pk_env_get_evp_pkey(rsa_sign,1)))
     goto error;
   if (!(pkey = _crypto_pk_env_get_evp_pkey(rsa,0)))
     goto error;
@@ -167,12 +170,21 @@
                                    "TOR", -1, -1, 0))) goto error;
   if ((nid = OBJ_txt2nid("commonName")) == NID_undef) goto error;
   if (!(X509_NAME_add_entry_by_NID(name, nid, MBSTRING_ASC,
-                                   (char*)nickname, -1, -1, 0))) goto error;
+                                   (char*)cname, -1, -1, 0))) goto error;
+  if (!(X509_set_subject_name(x509, name)))
+    goto error;
 
-  if (!(X509_set_issuer_name(x509, name)))
+  if (!(name_issuer = X509_NAME_new()))
     goto error;
-  if (!(X509_set_subject_name(x509, name)))
+  if ((nid = OBJ_txt2nid("organizationName")) == NID_undef) goto error;
+  if (!(X509_NAME_add_entry_by_NID(name_issuer, nid, MBSTRING_ASC,
+                                   "TOR", -1, -1, 0))) goto error;
+  if ((nid = OBJ_txt2nid("commonName")) == NID_undef) goto error;
+  if (!(X509_NAME_add_entry_by_NID(name_issuer, nid, MBSTRING_ASC,
+                                (char*)cname_sign, -1, -1, 0))) goto error;
+  if (!(X509_set_issuer_name(x509, name_issuer)))
     goto error;
+
   if (!X509_time_adj(X509_get_notBefore(x509),0,&start_time))
     goto error;
   end_time = start_time + CERT_LIFETIME;
@@ -180,7 +192,7 @@
     goto error;
   if (!X509_set_pubkey(x509, pkey))
     goto error;
-  if (!X509_sign(x509, id_pkey, EVP_sha1()))
+  if (!X509_sign(x509, sign_pkey, EVP_sha1()))
     goto error;
 
   goto done;
@@ -190,12 +202,14 @@
     x509 = NULL;
   }
  done:
-  if (id_pkey)
-    EVP_PKEY_free(id_pkey);
+  if (sign_pkey)
+    EVP_PKEY_free(sign_pkey);
   if (pkey)
     EVP_PKEY_free(pkey);
   if (name)
     X509_NAME_free(name);
+  if (name_issuer)
+    X509_NAME_free(name_issuer);
   return x509;
 }
 
@@ -228,7 +242,9 @@
   crypto_dh_env_t *dh = NULL;
   EVP_PKEY *pkey = NULL;
   tor_tls_context *result = NULL;
-  X509 *cert = NULL;
+  X509 *cert = NULL, *idcert = NULL;
+  char nn2[1024];
+  sprintf(nn2, "%s <identity>", nickname);
 
   tor_tls_init();
 
@@ -237,8 +253,9 @@
       goto error;
     if (crypto_pk_generate_key(rsa)<0)
       goto error;
-    cert = tor_tls_create_certificate(rsa, identity, nickname);
-    if (!cert) {
+    cert = tor_tls_create_certificate(rsa, identity, nickname, nn2);
+    idcert = tor_tls_create_certificate(rsa, identity, nn2, nn2);
+    if (!cert || !idcert) {
       log(LOG_WARN, "Error creating certificate");
       goto error;
     }
@@ -260,6 +277,8 @@
     goto error;
   if (cert && !SSL_CTX_use_certificate(result->ctx,cert))
     goto error;
+  if (idcert && !SSL_CTX_add_extra_chain_cert(result->ctx,idcert))
+    goto error;
   SSL_CTX_set_session_cache_mode(result->ctx, SSL_SESS_CACHE_OFF);
   if (isServer) {
     assert(rsa);
@@ -303,7 +322,7 @@
     SSL_CTX_free(result->ctx);
   if (result)
     free(result);
-
+  /* leak certs XXXX ? */
   return -1;
 }
 
@@ -531,7 +550,6 @@
 {
   X509 *cert = NULL;
   EVP_PKEY *id_pkey = NULL;
-  RSA *rsa = NULL;
   time_t now, t;
   int r = -1;
   if (!(cert = SSL_get_peer_certificate(tls->ssl)))
@@ -563,8 +581,6 @@
     X509_free(cert);
   if (id_pkey)
     EVP_PKEY_free(id_pkey);
-  if (rsa)
-    RSA_free(rsa);
   return r;
 }
 

